package pl.edu.icm.yadda.aas.proxy;

import java.security.SecureRandom;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import java.util.Random;
import java.util.Set;
import org.apache.commons.lang.NotImplementedException;
import org.opensaml.lite.xacml.policy.ObligationType;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Required;
import pl.edu.icm.yadda.aas.client.YaddaErrorAwareResult;
import pl.edu.icm.yadda.aas.client.authz.lic.LicensingAuthorizationFacade;
import pl.edu.icm.yadda.aas.handler.HeaderFieldBasedSecurityRequestHandler;
import pl.edu.icm.yadda.aas.handler.ISecurityRequestHandler;
import pl.edu.icm.yadda.aas.proxy.criterion.CriterionCreatorResponse;
import pl.edu.icm.yadda.aas.proxy.criterion.ICriterionCreatorManager;
import pl.edu.icm.yadda.aas.proxy.evaluator.EvaluatorResult;
import pl.edu.icm.yadda.aas.proxy.evaluator.ILicenseEvaluator;
import pl.edu.icm.yadda.aas.proxy.evaluator.LicenseEvaluatorContext;
import pl.edu.icm.yadda.aas.proxy.token.CacheEntry;
import pl.edu.icm.yadda.aas.proxy.token.TokenAwareSecuredService;
import pl.edu.icm.yadda.aas.proxy.token.TokenSecurityException;
import pl.edu.icm.yadda.service2.GenericRequest;
import pl.edu.icm.yadda.service2.GetFeaturesRequest;
import pl.edu.icm.yadda.service2.GetFeaturesResponse;
import pl.edu.icm.yadda.service2.GetVersionResponse;
import pl.edu.icm.yadda.service2.YaddaError;
import pl.edu.icm.yadda.service2.YaddaErrorCodeConstants;
import pl.edu.icm.yadda.service2.archive.IdResponse;
import pl.edu.icm.yadda.service2.archive.ListArchiveRequest;
import pl.edu.icm.yadda.service2.archive.RetrieveResponse;
import pl.edu.icm.yadda.service3.ArchiveObject2Meta;
import pl.edu.icm.yadda.service3.archive.GetArchive2ObjectRequest;
import pl.edu.icm.yadda.service3.archive.GetArchive2ObjectResponse;
import pl.edu.icm.yadda.service3.archive.GetArchive2ObjectsRequest;
import pl.edu.icm.yadda.service3.archive.IArchive2;
import pl.edu.icm.yadda.service3.archive.ListArchiveObjects2Response;
import pl.edu.icm.yadda.service3.archive.ListArchiveRequest2;
import pl.edu.icm.yadda.service3.archive.RetrieveRequest;

/* loaded from: input_file:WEB-INF/lib/yadda-aas2-common-1.11.1.jar:pl/edu/icm/yadda/aas/proxy/SecuredArchive2.class */
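/**
 * Authorizing proxy in front of an {@link IArchive2} delegate.
 *
 * <p>For each data-bearing call the proxy extracts the security part of the request with the
 * configured {@link ISecurityRequestHandler}, asks the {@link LicensingAuthorizationFacade} for
 * the caller's license obligations and then either evaluates them per object
 * ({@link #getObject}, {@link #queryObjects}) or converts them into a tag criterion that is
 * added to the listing request ({@link #listObjects(ListArchiveRequest2)}).
 *
 * <p>Paged operations never hand the delegate's own continuation token to the caller. It is
 * replaced by an external token obtained from {@code storeEntry}, and a follow-up request is
 * mapped back through {@code getCachedEntryWithSecurityCriterionCheckAndRemoval}. For
 * {@link #readChunk} continuation requests no obligations are retrieved in this class, so the
 * external token is the only thing checked there; see {@link #generateExternalToken}.
 */
public class SecuredArchive2 extends TokenAwareSecuredService<String, String[]> implements IArchive2 {
    /** Number of random bytes placed in every external token (hex-encoded to twice as many characters). */
    private static final int TOKEN_NONCE_BYTES = 16;

    protected LicensingAuthorizationFacade licAuthzFacade;
    private IArchive2 archive;
    private List<ILicenseEvaluator<String[]>> evaluators;
    private ICriterionCreatorManager<String[]> criterionCreatorManager;
    protected final Logger log = LoggerFactory.getLogger(getClass());
    // Source of the random part of external tokens. The declared type stays Random so existing
    // subclasses keep compiling, but the instance is a SecureRandom: java.util.Random output can be
    // reconstructed from a few observed values, which is not acceptable for a bearer token.
    protected Random rand = new SecureRandom();
    private ISecurityRequestHandler securityRequestHandler = new HeaderFieldBasedSecurityRequestHandler();

    /**
     * Runs the configured evaluators in list order until one of them permits access.
     *
     * <p>The first {@code PERMIT} wins. A {@code DENY} or {@code ERROR} from one evaluator is only
     * logged and the next evaluator is tried, so access is refused only when no evaluator permits.
     *
     * @param collection obligations obtained for the caller
     * @param licenseEvaluatorContext id and tags of the object being accessed
     * @return {@code true} if some evaluator returned {@code PERMIT}, {@code false} otherwise
     */
    protected boolean evaluateAccess(Collection<ObligationType> collection, LicenseEvaluatorContext<String[]> licenseEvaluatorContext) {
        for (ILicenseEvaluator<String[]> iLicenseEvaluator : this.evaluators) {
            EvaluatorResult evaluate = iLicenseEvaluator.evaluate(collection, licenseEvaluatorContext);
            if (evaluate.getStatus() == EvaluatorResult.Status.PERMIT) {
                return true;
            }
            if (evaluate.getStatus() == EvaluatorResult.Status.DENY) {
                this.log.debug("evaluation with module " + iLicenseEvaluator.getClass().getName() + " failed");
            } else if (evaluate.getStatus() == EvaluatorResult.Status.ERROR) {
                this.log.warn("evaluation with module " + iLicenseEvaluator.getClass().getName() + " finished with error: " + evaluate.getError().getMssg(), (Throwable) evaluate.getError().getException());
            }
        }
        // NOTE(review): the object id comes from the request and is written to the log unescaped;
        // confirm the log layout neutralises line breaks.
        this.log.error("Permission not granted to retrieve resource id='" + licenseEvaluatorContext.getStoredObjectId() + "'");
        return false;
    }

    /**
     * Fetches one object from the delegate and returns it only if the caller's obligations permit it.
     *
     * <p>The object is read first because the access decision needs its tags. When access is
     * refused, or the obligations cannot be retrieved, a new error response is returned and the
     * fetched object is dropped. A delegate response that is not OK or carries no result is passed
     * through without an authorization call.
     *
     * @param getArchive2ObjectRequest request carrying the object id and the caller's security data
     * @return the delegate's response, or an error response ({@code ERROR_AUTH} on denial)
     */
    @Override // pl.edu.icm.yadda.service3.archive.IArchive2
    public GetArchive2ObjectResponse getObject(GetArchive2ObjectRequest getArchive2ObjectRequest) {
        GetArchive2ObjectResponse object = this.archive.getObject(getArchive2ObjectRequest);
        if (object.isOK() && object.getResult() != null) {
            YaddaErrorAwareResult<Set<ObligationType>> retrieveLicenseObligations = this.licAuthzFacade.retrieveLicenseObligations(this.securityRequestHandler.extract(getArchive2ObjectRequest));
            if (retrieveLicenseObligations.getError() == null) {
                return evaluateAccess(retrieveLicenseObligations.getData(), new LicenseEvaluatorContext<>(getArchive2ObjectRequest.getId().getId(), object.getResult().getTags())) ? object : new GetArchive2ObjectResponse(new YaddaError(YaddaErrorCodeConstants.ERROR_AUTH, "Permission not granted to retrieve resource id='" + getArchive2ObjectRequest.getId().getId() + "'!"));
            }
            this.log.error("got error from security client: " + retrieveLicenseObligations.getError().getCode() + ", " + retrieveLicenseObligations.getError().getMssg());
            return new GetArchive2ObjectResponse(retrieveLicenseObligations.getError());
        }
        return object;
    }

    /**
     * Unsupported legacy listing entry point.
     *
     * @throws NotImplementedException always; callers must use {@link #listObjects(ListArchiveRequest2)}
     */
    @Override // pl.edu.icm.yadda.service3.archive.IArchive2
    public ListArchiveObjects2Response listObjects(ListArchiveRequest listArchiveRequest) {
        throw new NotImplementedException("this method is deprecated, use pl.edu.icm.yadda.service3.archive.IArchive2#listObjects(pl.edu.icm.yadda.service3.archive.ListArchiveRequest2) instead!");
    }

    /**
     * Lists objects, restricted by a tag criterion derived from the caller's obligations.
     *
     * <p>Obligations are retrieved and converted into criteria on every call. For a first page
     * (no resumption token) the request is refused unless {@link #shouldBeProcessed} accepts the
     * criteria; a non-null criterion is added to the request's tags before delegating. For a
     * follow-up page the supplied external token is resolved against the cache together with the
     * freshly computed criteria. Judging by the catch block's message, a mismatch between cached
     * and current criteria surfaces as {@link TokenSecurityException}; that check lives in the
     * superclass and is not visible here.
     *
     * <p>The request object passed in is modified (tags and resumption token).
     *
     * @param listArchiveRequest2 listing request carrying the caller's security data
     * @return the delegate's page with its resumption token replaced by an external token, or an
     *         error response
     */
    @Override // pl.edu.icm.yadda.service3.archive.IArchive2
    public ListArchiveObjects2Response listObjects(ListArchiveRequest2 listArchiveRequest2) {
        YaddaErrorAwareResult<Set<ObligationType>> retrieveLicenseObligations = this.licAuthzFacade.retrieveLicenseObligations(this.securityRequestHandler.extract(listArchiveRequest2));
        if (retrieveLicenseObligations.getError() != null) {
            this.log.error("got error from security client: " + retrieveLicenseObligations.getError().getCode() + ", " + retrieveLicenseObligations.getError().getMssg());
            return new ListArchiveObjects2Response(retrieveLicenseObligations.getError());
        }
        CriterionCreatorResponse<String[]> createCriteria = this.criterionCreatorManager.createCriteria(retrieveLicenseObligations.getData());
        if (listArchiveRequest2.getResumptionToken() == null) {
            if (!shouldBeProcessed(createCriteria)) {
                this.log.debug("no permission to list objects: no security tags found!");
                return new ListArchiveObjects2Response(new YaddaError(YaddaErrorCodeConstants.ERROR_AUTH, "no permission to list objects: no security tags found!"));
            }
            if (createCriteria.getSecurityCriterion() != null) {
                listArchiveRequest2.setTags(addSecurityTags(listArchiveRequest2.getTags(), createCriteria.getSecurityCriterion()));
            }
            ListArchiveObjects2Response listObjects = this.archive.listObjects(listArchiveRequest2);
            // Hide the delegate's token behind an external one bound to the criteria used for this page.
            listObjects.setResumptionToken(storeEntry(listObjects.getResumptionToken(), createCriteria));
            return listObjects;
        }
        try {
            CacheEntry<String, String[]> cachedEntryWithSecurityCriterionCheckAndRemoval = getCachedEntryWithSecurityCriterionCheckAndRemoval(listArchiveRequest2.getResumptionToken(), createCriteria);
            if (cachedEntryWithSecurityCriterionCheckAndRemoval == null) {
                // NOTE(review): the caller-supplied token is echoed into the log and the error response.
                String str = "invalid resumption token: " + listArchiveRequest2.getResumptionToken();
                this.log.debug(str);
                return new ListArchiveObjects2Response(new YaddaError(YaddaErrorCodeConstants.ERROR_AUTH, str));
            }
            listArchiveRequest2.setResumptionToken(cachedEntryWithSecurityCriterionCheckAndRemoval.getInternalToken());
            ListArchiveObjects2Response listObjects2 = this.archive.listObjects(listArchiveRequest2);
            listObjects2.setResumptionToken(storeEntry(listObjects2.getResumptionToken(), cachedEntryWithSecurityCriterionCheckAndRemoval.getSecurityCriterion()));
            return listObjects2;
        } catch (TokenSecurityException e) {
            this.log.debug("Security constraints were violated: security criteria have changed!");
            return new ListArchiveObjects2Response(new YaddaError(YaddaErrorCodeConstants.ERROR_AUTH, "Security constraints were violated: security criteria have changed!", e));
        }
    }

    /**
     * Decides whether a listing may run at all for the given criteria.
     *
     * @param criterionCreatorResponse criteria derived from the caller's obligations
     * @return {@code true} if the response allows everything or carries a non-empty criterion
     */
    protected boolean shouldBeProcessed(CriterionCreatorResponse<String[]> criterionCreatorResponse) {
        if (criterionCreatorResponse.isAllowAll()) {
            return true;
        }
        return criterionCreatorResponse.getSecurityCriterion() != null && criterionCreatorResponse.getSecurityCriterion().length > 0;
    }

    /**
     * Returns the request tags with the security criterion appended as one additional row.
     *
     * <p>The decompiled original declared the result with an unresolved type and built the
     * single-row case as {@code String[]}; both are written here with the {@code String[][]}
     * type the signature requires.
     *
     * @param strArr tags already present on the request, may be {@code null} or empty
     * @param strArr2 security criterion to append, may be {@code null} or empty
     * @return {@code strArr} unchanged when there is no criterion; otherwise a new array holding
     *         the rows of {@code strArr} followed by {@code strArr2}
     */
    private static String[][] addSecurityTags(String[][] strArr, String[] strArr2) {
        if (strArr2 == null || strArr2.length <= 0) {
            return strArr;
        }
        if (strArr == null || strArr.length <= 0) {
            return new String[][]{strArr2};
        }
        String[][] merged = new String[strArr.length + 1][];
        System.arraycopy(strArr, 0, merged, 0, strArr.length);
        merged[merged.length - 1] = strArr2;
        return merged;
    }

    /**
     * Queries the delegate and filters the returned page by per-object access evaluation.
     *
     * <p>Objects the caller may not access are removed from the page in place, unless the request
     * asks to fail on denial, in which case the whole call returns {@code ERROR_AUTH}. A
     * {@code null} response or a response without a page is returned as received.
     *
     * @param getArchive2ObjectsRequest query carrying the caller's security data
     * @return the filtered delegate response, or an error response
     */
    @Override // pl.edu.icm.yadda.service3.archive.IArchive2
    public ListArchiveObjects2Response queryObjects(GetArchive2ObjectsRequest getArchive2ObjectsRequest) {
        ListArchiveObjects2Response queryObjects = this.archive.queryObjects(getArchive2ObjectsRequest);
        if (queryObjects == null || queryObjects.getPage() == null) {
            return queryObjects;
        }
        YaddaErrorAwareResult<Set<ObligationType>> retrieveLicenseObligations = this.licAuthzFacade.retrieveLicenseObligations(this.securityRequestHandler.extract(getArchive2ObjectsRequest));
        if (retrieveLicenseObligations.getError() != null) {
            this.log.error("got error from security client: " + retrieveLicenseObligations.getError().getCode() + ", " + retrieveLicenseObligations.getError().getMssg());
            return new ListArchiveObjects2Response(retrieveLicenseObligations.getError());
        }
        Set<ObligationType> data = retrieveLicenseObligations.getData();
        Iterator<ArchiveObject2Meta> it = queryObjects.getPage().iterator();
        while (it.hasNext()) {
            ArchiveObject2Meta next = it.next();
            if (!evaluateAccess(data, new LicenseEvaluatorContext<>(next.getId(), next.getTags()))) {
                if (getArchive2ObjectsRequest.isFailWhenAccessDenied()) {
                    String str = "access denied when accessing object: " + next.getId() + " for path: " + getArchive2ObjectsRequest.getPath();
                    this.log.warn(str);
                    return new ListArchiveObjects2Response(new YaddaError(YaddaErrorCodeConstants.ERROR_AUTH, str));
                }
                this.log.debug("removing" + next.getId() + " from result list!");
                // Iterator.remove keeps the iteration valid while the page is being filtered.
                it.remove();
            }
        }
        return queryObjects;
    }

    /**
     * Reads one chunk of object content.
     *
     * <p>Without a token the call is authorized by running {@link #getObject} for the owner id
     * with the caller's security data copied onto a minimal request (no parts, no children).
     * With a token, the token is resolved through the cache with a {@code null} criterion and no
     * obligations are retrieved in this method, so holding a valid external token is the only
     * condition checked here. That makes the quality of {@link #generateExternalToken} part of
     * the access control.
     *
     * <p>The request object passed in is modified when a token is present.
     *
     * @param retrieveRequest chunk request, with or without a continuation token
     * @return the delegate's chunk with its token replaced by an external token, or an error response
     */
    @Override // pl.edu.icm.yadda.service3.archive.IArchive2
    public RetrieveResponse readChunk(RetrieveRequest retrieveRequest) {
        if (retrieveRequest.getToken() == null) {
            GetArchive2ObjectRequest getArchive2ObjectRequest = new GetArchive2ObjectRequest();
            this.securityRequestHandler.attach(getArchive2ObjectRequest, this.securityRequestHandler.extract(retrieveRequest));
            getArchive2ObjectRequest.setFetchAllParts(false);
            getArchive2ObjectRequest.setFetchChildren(false);
            getArchive2ObjectRequest.setId(retrieveRequest.getOwnerId());
            GetArchive2ObjectResponse object = getObject(getArchive2ObjectRequest);
            if (!object.isOK()) {
                return new RetrieveResponse(object.getError());
            }
            RetrieveResponse readChunk = this.archive.readChunk(retrieveRequest);
            if (readChunk.getDataChunk() != null && readChunk.getDataChunk().getToken() != null) {
                readChunk.getDataChunk().setToken(storeEntry(readChunk.getDataChunk().getToken(), null));
            }
            return readChunk;
        }
        try {
            CacheEntry<String, String[]> cachedEntryWithSecurityCriterionCheckAndRemoval = getCachedEntryWithSecurityCriterionCheckAndRemoval(retrieveRequest.getToken(), null);
            if (cachedEntryWithSecurityCriterionCheckAndRemoval == null) {
                // NOTE(review): the caller-supplied token is echoed into the log and the error response.
                String str = "invalid resumption token: " + retrieveRequest.getToken();
                this.log.debug(str);
                return new RetrieveResponse(new YaddaError(YaddaErrorCodeConstants.ERROR_AUTH, str));
            }
            retrieveRequest.setToken(cachedEntryWithSecurityCriterionCheckAndRemoval.getInternalToken());
            RetrieveResponse readChunk2 = this.archive.readChunk(retrieveRequest);
            if (readChunk2.getDataChunk() != null && readChunk2.getDataChunk().getToken() != null) {
                readChunk2.getDataChunk().setToken(storeEntry(readChunk2.getDataChunk().getToken(), null));
            }
            return readChunk2;
        } catch (TokenSecurityException e) {
            String str2 = "Security constraints were violated: security criteria have changed for token " + retrieveRequest.getToken();
            this.log.debug(str2);
            return new RetrieveResponse(new YaddaError(YaddaErrorCodeConstants.ERROR_AUTH, str2, e));
        }
    }

    /**
     * Returns the delegate's feature set with the "requires authorization" feature added.
     *
     * @param getFeaturesRequest request forwarded to the delegate
     * @return the delegate's response, modified in place
     */
    @Override // pl.edu.icm.yadda.service2.IYaddaService
    public GetFeaturesResponse getFeatures(GetFeaturesRequest getFeaturesRequest) {
        GetFeaturesResponse features = this.archive.getFeatures(getFeaturesRequest);
        features.getFeatures().add(SecurityConstants.FEATURE_REQUIRES_AUTHORIZATION);
        return features;
    }

    /** Forwards to the delegate without any authorization step. */
    @Override // pl.edu.icm.yadda.service3.archive.IArchive2
    public IdResponse getArchiveId(GenericRequest genericRequest) {
        return this.archive.getArchiveId(genericRequest);
    }

    /** Forwards to the delegate without any authorization step. */
    @Override // pl.edu.icm.yadda.service2.IYaddaService
    public GetVersionResponse getVersionResponse(GenericRequest genericRequest) {
        return this.archive.getVersionResponse(genericRequest);
    }

    /**
     * Compares two criterion responses for the token cache.
     *
     * @param criterionCreatorResponse first response, may be {@code null}
     * @param criterionCreatorResponse2 second response, may be {@code null}
     * @return {@code true} if both are {@code null}, both allow everything, or neither allows
     *         everything and {@code SecurityCriterionComparatorHelper} reports their criteria equal
     */
    @Override // pl.edu.icm.yadda.aas.proxy.token.TokenAwareSecuredService
    public boolean equals(CriterionCreatorResponse<String[]> criterionCreatorResponse, CriterionCreatorResponse<String[]> criterionCreatorResponse2) {
        if (criterionCreatorResponse == null) {
            return criterionCreatorResponse2 == null;
        }
        if (criterionCreatorResponse2 == null) {
            return false;
        }
        if (criterionCreatorResponse.isAllowAll()) {
            return criterionCreatorResponse2.isAllowAll();
        }
        if (criterionCreatorResponse2.isAllowAll()) {
            return false;
        }
        return SecurityCriterionComparatorHelper.equals(criterionCreatorResponse.getSecurityCriterion(), criterionCreatorResponse2.getSecurityCriterion());
    }

    /**
     * Creates the external token handed to clients in place of the delegate's token.
     *
     * <p>The token keeps the original {@code <millis>-<random>} layout, but the random part is
     * now {@value #TOKEN_NONCE_BYTES} bytes drawn from {@link #rand} and hex-encoded. The previous
     * form appended one of only 100 values from {@code java.util.Random} to the clock reading,
     * which left very few candidates for any given moment, while {@link #readChunk} accepts a
     * continuation on the strength of the token alone.
     *
     * <p>NOTE(review): the token is longer than before; confirm that no client or cache key
     * assumes the old length.
     *
     * @param str the delegate's internal token; not used when building the external token
     * @return a new external token
     */
    /* JADX INFO: Access modifiers changed from: protected */
    @Override // pl.edu.icm.yadda.aas.proxy.token.TokenAwareSecuredService
    public String generateExternalToken(String str) {
        byte[] nonce = new byte[TOKEN_NONCE_BYTES];
        this.rand.nextBytes(nonce);
        StringBuilder token = new StringBuilder();
        token.append(System.currentTimeMillis()).append('-');
        for (byte b : nonce) {
            token.append(Character.forDigit((b >> 4) & 0xF, 16));
            token.append(Character.forDigit(b & 0xF, 16));
        }
        return token.toString();
    }

    /** Sets the archive that this proxy guards. */
    @Required
    public void setArchive(IArchive2 iArchive2) {
        this.archive = iArchive2;
    }

    /** Sets the facade used to retrieve the caller's license obligations. */
    @Required
    public void setLicAuthzFacade(LicensingAuthorizationFacade licensingAuthorizationFacade) {
        this.licAuthzFacade = licensingAuthorizationFacade;
    }

    /** Sets the evaluators consulted, in list order, by {@link #evaluateAccess}. */
    @Required
    public void setEvaluators(List<ILicenseEvaluator<String[]>> list) {
        this.evaluators = list;
    }

    /** Sets the manager that turns obligations into listing criteria. */
    @Required
    public void setCriterionCreatorManager(ICriterionCreatorManager<String[]> iCriterionCreatorManager) {
        this.criterionCreatorManager = iCriterionCreatorManager;
    }

    /** Replaces the default header-field based handler used to extract and attach security data. */
    public void setSecurityRequestHandler(ISecurityRequestHandler iSecurityRequestHandler) {
        this.securityRequestHandler = iSecurityRequestHandler;
    }
}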
